Skip to content

Commit 12ee497

Browse files
committed
move query to src, rename and refactor
1 parent 3363f5e commit 12ee497

3 files changed

Lines changed: 8 additions & 13 deletions

File tree

javascript/ql/test/experimental/Security/CWE-073/ExpressHbsLFR.ql renamed to javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql

Lines changed: 8 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,10 @@
11
/**
2-
* @name Express-Hbs Local File Read and Potential RCE
3-
* @description Writing user input directly to res.render of ExpressJS used with Hbs can lead to LFR
2+
* @name Template Object Injection
3+
* @description Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution.
44
* @kind path-problem
55
* @problem.severity error
66
* @precision high
7-
* @id js/express-hbs-lfr
7+
* @id js/template-object-injection
88
* @tags security
99
* external/cwe/cwe-073
1010
* external/cwe/cwe-094
@@ -13,15 +13,9 @@
1313
import javascript
1414
import DataFlow
1515
import PathGraph
16-
import Express
17-
import semmle.javascript.DynamicPropertyAccess
1816

1917
predicate isUsingHbsEngine() {
20-
exists(MethodCallExpr method |
21-
method.getMethodName() = "set" and
22-
Express::appCreation().flowsToExpr(method.getReceiver()) and
23-
method.getArgument(1).getStringValue().matches("hbs")
24-
)
18+
Express::appCreation().getAMethodCall("set").getArgument(1).mayHaveStringValue("hbs")
2519
}
2620

2721
class HbsLFRTaint extends TaintTracking::Configuration {
@@ -39,6 +33,7 @@ class HbsLFRTaint extends TaintTracking::Configuration {
3933
}
4034
}
4135

42-
from HbsLFRTaint cfg, Node source, Node sink
43-
where cfg.hasFlow(source, sink)
44-
select source, sink
36+
from HbsLFRTaint cfg, PathNode source, PathNode sink
37+
where cfg.hasFlowPath(source, sink)
38+
select sink.getNode(), source, sink, "Template object injection due to $@.", source.getNode(),
39+
"user-provided value"

javascript/ql/test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR.js renamed to javascript/ql/src/experimental/Security/CWE-073/documentation-examples/TemplateObjectInjection.js

File renamed without changes.

javascript/ql/test/experimental/Security/CWE-073/documentation-examples/ExpressHbsLFR_fixed.js renamed to javascript/ql/src/experimental/Security/CWE-073/documentation-examples/TemplateObjectInjection_fixed.js

File renamed without changes.

0 commit comments

Comments
 (0)